Hackers Steadily Profit From EOS DApp Vulnerabilities

Published date: Wednesday March 13, 2019.

Thieves have long exploited vulnerabilities in exchanges and individual projects to steal tokens, but their focus now appears to have shifted to Web 3.0 and its decentralized applications (DApps). Many existing DApps have fallen victim to hackers in recent months, and the newest addition to the list, and currently the most affected group, is EOS DApps.

The repeated attacks keep exposing EOS DApp vulnerabilities and serve as a constant reminder that development teams must patch these holes quickly. Otherwise EOS may soon face the same fate Ethereum did when congestion from its DApp ecosystem clogged the network. In March 2019 alone, hackers have already stolen from seven EOS decentralized applications.

Happy Valley

On March 4, an attacker launched a sustained attack on the EOS betting game Happy Valley and made off with hundreds of EOS that the game had paid out to the attacker's illegal account. The attack used the transaction congestion technique tracked as CVE-2019-6199.

To close this hole, DApp developers should remove every attacker-controllable input, including account balances and timestamps, from random number generation. The loss in this attack was 419 EOS; the method was a transaction congestion attack.
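The advice above is the core of the random number problem seen in Happy Valley and OnePlay: a seed built from the block time and the bettor's balance is not random from the bettor's point of view, because the bettor knows the block time window and controls the balance by choosing the bet amount. The following C++ model is an added example, not code from any of the attacked games, from EOSIO or from SlowMist. The `mix` function (a 64-bit FNV-1a hash standing in for a sha256-of-inputs seed), the `Game` structure, the `win_below` threshold, the 1/10000 EOS units and the constructed timestamps are all assumptions made for the illustration; no real EOSIO API is used. The attacker simply grinds the bet amount until the resulting roll is a win.

```cpp
// Added example (not from any game contract, EOSIO or SlowMist): a stand-alone
// C++ model of a betting contract whose "random" roll depends on the block time
// and the bettor's post-bet balance, and an attacker who chooses the bet amount
// so that the roll is a guaranteed win. All names and constants are assumptions.
#include <cstdint>
#include <vector>

namespace predictable_rng {

// FNV-1a style 64-bit mix over the input words; stands in for hashing the
// contract's seed inputs. Deterministic, so anyone with the inputs gets the roll.
static uint64_t mix(const std::vector<uint64_t>& words) {
    uint64_t h = 1469598103934665603ULL;
    for (uint64_t w : words) {
        for (int i = 0; i < 8; ++i) {
            h ^= (w >> (8 * i)) & 0xffULL;
            h *= 1099511628211ULL;
        }
    }
    return h;
}

// Vulnerable roll in [0, 100): both inputs are known to the bettor before the
// bet transaction is broadcast. block_time is the settlement block's time
// (assumed predictable); balance_after_bet is chosen via the bet amount.
static uint32_t vulnerable_roll(uint64_t block_time, uint64_t balance_after_bet) {
    return static_cast<uint32_t>(mix({block_time, balance_after_bet}) % 100);
}

struct Game {
    uint64_t block_time;   // assumed "current_time()" at settlement
    uint32_t win_below;    // roll < win_below pays 2x the stake

    // Settles one bet; returns the payout (0 on a loss). Amounts are 1/10000 EOS.
    uint64_t settle(uint64_t bettor_balance, uint64_t amount) const {
        uint64_t after = bettor_balance - amount;
        return vulnerable_roll(block_time, after) < win_below ? 2 * amount : 0;
    }
};

// Attacker: scan bet amounts from the largest allowed downwards and return the
// first one whose resulting roll wins. Returns 0 if no amount wins (needs
// balance >= max_bet so the subtraction cannot underflow).
static uint64_t grind_winning_bet(const Game& g, uint64_t balance, uint64_t max_bet) {
    if (balance < max_bet) return 0;
    for (uint64_t amt = max_bet; amt >= 1; --amt) {
        if (vulnerable_roll(g.block_time, balance - amt) < g.win_below) return amt;
    }
    return 0;
}

struct Result {
    unsigned rounds_won;
    int64_t profit;
};

// Plays `rounds` consecutive rounds against the vulnerable game, grinding the
// bet each time. Block times are constructed (one second apart).
static Result run_attack(uint64_t balance, uint64_t max_bet, uint32_t win_below, unsigned rounds) {
    Result r{0, 0};
    const uint64_t t0 = 1552000000ULL;  // constructed timestamp, March 2019
    for (unsigned i = 0; i < rounds; ++i) {
        Game g{t0 + i, win_below};
        uint64_t bet = grind_winning_bet(g, balance, max_bet);
        if (bet == 0) continue;
        uint64_t payout = g.settle(balance, bet);
        if (payout > 0) ++r.rounds_won;
        r.profit += static_cast<int64_t>(payout) - static_cast<int64_t>(bet);
        balance = balance - bet + payout;
    }
    return r;
}

} // namespace predictable_rng
```

With a 49% nominal win chance and 100 candidate bet amounts per round, the attacker wins every round: the house edge is irrelevant when the bettor can pick which outcome to submit. Any replacement seed must be unknown to the bettor at the moment the bet is committed, which neither the timestamp nor anything derived from the bettor's own state can provide.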

OnePlay

On March 5, an attacker launched a sustained attack on the EOS betting game OnePlay and improperly drained almost all of the EOS held by the game contract. The attacker then used the same method to bet with the game's own token, ONE, netting almost one million game tokens.

The attacker transferred the proceeds to the Newdex exchange for sale. The loss in this attack was 449 EOS; the method was a random number attack.

ExtremeLoto

On March 6, the attacker account co****op launched a sustained attack on the EOS betting game contract xlo*****io, and the account involved earned hundreds of EOS. Initial analysis shows that the attacker called the game contract's transfer handler directly to trigger its game logic, and that several cooperating accounts were used to carry out the attack. The recorded loss for this attack is 42 EOS; the method was a direct call of the project's transfer action.

Fishing Joy

On March 8, an attacker ran a step-by-step attack on the EOS betting game Fishing Joy, during which hundreds of EOS disappeared. Analysis shows the attacker used the CVE-2019-6199 transaction congestion technique to interfere with the game's withdrawal process, profiting on every bet.

The loss in this attack was 109.33 EOS; the method is classed as a transaction congestion attack.

Gamble EOS

On March 9, an attacker continuously attacked the EOS betting game Gamble EOS and profited thousands of EOS, all of which were transferred to the Mars exchange. The attacker used a fake transfer notification, causing a loss of 2043.6 EOS.
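The ExtremeLoto attack (a direct call of the game's transfer action) and the Gamble EOS attack (a fake transfer notification) exploit the same weak spot: the game contract's deposit handler runs on any incoming "transfer" without checking which contract executed it and whom it was addressed to. The C++ model below is an added example, not code from either game, from EOSIO or from SlowMist. It mirrors the three values an EOSIO contract receives in `apply(receiver, code, action)` with a plain `Env` struct and replays constructed versions of both attack shapes, plus a real deposit and, going beyond the page's cases, a counterfeit token named EOS issued by a different contract. The account names, the `Env`/`Transfer`/`Ledger` types and the two `*_apply` functions are assumptions for illustration; the real eosio headers are not used.

```cpp
// Added example (not from any game contract, EOSIO or SlowMist): a stand-alone
// C++ model of an EOSIO-style dispatcher. vulnerable_apply credits a deposit
// for anything named "transfer"; hardened_apply verifies the executing
// contract, the recipient, the sender and the symbol. Names are assumptions.
#include <cstdint>
#include <map>
#include <string>

namespace transfer_checks {

// What the chain hands to apply(): the account whose code is running
// (receiver), the account whose action is being executed (code), and the name.
struct Env {
    std::string receiver;
    std::string code;
    std::string action;
};

// Fields of a token transfer action. quantity is in 1/10000 EOS.
struct Transfer {
    std::string from;
    std::string to;
    uint64_t quantity;
    std::string symbol;
};

using Ledger = std::map<std::string, uint64_t>;

// Vulnerable pattern: dispatch on the action name alone. Any contract may
// define an action called "transfer" and call the game with it, and any
// account may forward a genuine eosio.token notification it received.
static bool vulnerable_apply(const Env& e, const Transfer& t, Ledger& balances) {
    if (e.action != "transfer") return false;
    balances[t.from] += t.quantity;
    return true;
}

// Hardened pattern: credit only when
//   1. the action was executed by eosio.token, not a look-alike contract,
//   2. the transfer's recipient is this contract (rejects forwarded notifications
//      of transfers to someone else),
//   3. the sender is not the contract itself (our own payouts notify us too),
//   4. the symbol is the one the game accepts.
static bool hardened_apply(const Env& e, const Transfer& t, Ledger& balances) {
    if (e.code != "eosio.token" || e.action != "transfer") return false;
    if (t.to != e.receiver) return false;
    if (t.from == e.receiver) return false;
    if (t.symbol != "EOS") return false;
    balances[t.from] += t.quantity;
    return true;
}

// Replays four constructed scenarios and returns how many credited a balance.
template <typename Apply>
static int credited_count(Apply apply) {
    const std::string game = "gamecontract";
    Ledger balances;
    int credited = 0;

    // 1. Real deposit: eosio.token transfer from a player to the game.
    credited += apply(Env{game, "eosio.token", "transfer"},
                      Transfer{"player1", game, 100000, "EOS"}, balances);

    // 2. Direct call (ExtremeLoto pattern): the attacker's own contract invokes
    //    an action named "transfer" on the game; code is the attacker.
    credited += apply(Env{game, "attacker11", "transfer"},
                      Transfer{"attacker11", game, 10000000, "EOS"}, balances);

    // 3. Fake transfer notification (Gamble EOS pattern): real EOS goes to an
    //    accomplice, whose contract forwards the eosio.token notification to the
    //    game. code is genuinely eosio.token, but `to` is not the game.
    credited += apply(Env{game, "eosio.token", "transfer"},
                      Transfer{"attacker11", "accomplice1", 10000000, "EOS"}, balances);

    // 4. Counterfeit token (not on the page): a transfer of a token called EOS
    //    issued by a different contract.
    credited += apply(Env{game, "fake.token", "transfer"},
                      Transfer{"attacker11", game, 10000000, "EOS"}, balances);
    return credited;
}

static int vulnerable_credits() { return credited_count(vulnerable_apply); }
static int hardened_credits()   { return credited_count(hardened_apply); }

} // namespace transfer_checks
```

The vulnerable dispatcher credits all four scenarios; the hardened one credits only the real deposit. The second check is the one that stops the Gamble EOS shape: the notification is authentic and comes from eosio.token, so only the recipient field reveals that the money went elsewhere.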

Vegas Town

On March 10, an attacker bombarded the EOS betting game Vegas Town with a sustained attack and acquired thousands of EOS, which were transferred to the ZB exchange. Initial analysis indicates the attacker used a transfer transaction that failed with hard_fail status.

The game's server was deceived into treating the failed transfer as a successful deposit, so the attacker kept winning. The attacker made off with 2219 EOS.
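The Vegas Town case is an off-chain failure rather than a contract bug: a transaction whose receipt status is hard_fail still appears in the block, and the attempted transfer action can still show up in the trace a history API returns, but no tokens moved. A server that credits bets from observed actions without reading the receipt status pays out on money it never received. The C++ model below is an added example, not the Vegas Town server's code or anything from SlowMist; the `Observation` layout, the sample records, the game account name and the `decide`/`process` helpers are assumptions for illustration, while the status strings follow EOSIO's receipt status values (executed, soft_fail, hard_fail, delayed, expired).

```cpp
// Added example (not the Vegas Town server or SlowMist code): a stand-alone
// C++ model of the credit decision an off-chain game server should make for
// each transfer it observes. Struct layout, names and samples are assumptions;
// the status strings are EOSIO's receipt status values.
#include <cstdint>
#include <map>
#include <string>
#include <vector>

namespace server_checks {

struct Observation {
    std::string tx_id;     // transaction id as reported by the node
    std::string status;    // receipt status: "executed", "hard_fail", ...
    uint32_t block_num;    // block containing the transaction
    std::string code;      // contract that executed the action
    std::string action;    // action name
    std::string to;        // transfer recipient
    uint64_t quantity;     // in 1/10000 EOS
};

enum class Decision { Credit, Reject, Wait };

// `lib` is the node's last irreversible block number at the time of the check.
static Decision decide(const Observation& o, const std::string& game, uint32_t lib) {
    // Only an "executed" receipt changed chain state. A hard_fail, soft_fail
    // or expired receipt is recorded too, transfer action included, but no
    // tokens moved, so it must never be treated as a deposit.
    if (o.status != "executed") return Decision::Reject;
    // The action must be a genuine eosio.token transfer addressed to the game.
    if (o.code != "eosio.token" || o.action != "transfer" || o.to != game) return Decision::Reject;
    // Do not pay out on a reversible block; the transaction may still be dropped.
    if (o.block_num > lib) return Decision::Wait;
    return Decision::Credit;
}

// Processes a batch, crediting each tx_id at most once. Returns total credited.
static uint64_t process(const std::vector<Observation>& obs, const std::string& game,
                        uint32_t lib, std::map<std::string, uint64_t>& credited) {
    uint64_t total = 0;
    for (const auto& o : obs) {
        if (credited.count(o.tx_id)) continue;  // idempotent: a replayed record is ignored
        if (decide(o, game, lib) == Decision::Credit) {
            credited[o.tx_id] = o.quantity;
            total += o.quantity;
        }
    }
    return total;
}

// Constructed sample: one real deposit (credited), one hard_fail look-alike
// carrying a large transfer (rejected), one executed transfer in a block past
// LIB (wait), and a replay of the first record (ignored).
static uint64_t sample_total() {
    const std::vector<Observation> obs = {
        {"aa11", "executed",  1000, "eosio.token", "transfer", "vegasgame11", 50000},
        {"bb22", "hard_fail", 1001, "eosio.token", "transfer", "vegasgame11", 9000000},
        {"cc33", "executed",  1400, "eosio.token", "transfer", "vegasgame11", 70000},
        {"aa11", "executed",  1000, "eosio.token", "transfer", "vegasgame11", 50000},
    };
    std::map<std::string, uint64_t> credited;
    return process(obs, "vegasgame11", 1200, credited);
}

} // namespace server_checks
```

Checking the status field is what defeats the hard_fail trick; the irreversibility and idempotency checks cover the other two ways an observed action can differ from a settled deposit (a block that gets forked out, and the same trace being delivered twice).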

dBet Games

The EOS betting game dBet Games was hit on March 12 by a series of continuous attacks. The attacker made off with hundreds of EUSD, a stablecoin issued on EOS, and sold the loot through the decentralized exchange Newdex. According to the latest reports, 685 EUSD vanished in the attack. The method was a transaction congestion attack.

Solution

These latest attacks show how many EOS DApp vulnerabilities developers still have to fix to stem the losses now occurring daily. In January 2019, the address the ETC 51% attackers used on Binance was finally flagged and shared with partners. Developers need to outpace the attackers and leave no loophole open to exploit.

The response must be prompt to avoid the huge losses that keep occurring in the EOS DApp world. In the first twelve days of March 2019 alone, 5,281.93 EOS and 685 EUSD have already disappeared. In total, SlowMist currently records $4,098,587,697.68 worth of cryptocurrency stolen in hacks.

SlowMist is working to reduce the rate of hacking in the crypto and DApp sectors, and it was also heavily involved in the successful investigation of the Ethereum Classic 51% attack.